MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ce3569751cdb290358824f5e2c341bdd73de729c9c995ca901417684bb1a0c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ce3569751cdb290358824f5e2c341bdd73de729c9c995ca901417684bb1a0c5
SHA3-384 hash: cf794b91a7710459499881594fd69804ed5d7e002b684aec8ad955141e07267b6e5258ec1f7a6ce38780a8c50f277eea
SHA1 hash: e1dd04402e1cabd6e2d4e51944506dbb690c0c59
MD5 hash: 7fc6ad338950135c2a686374226c5a05
humanhash: magnesium-pluto-lithium-indigo
File name:7fc6ad338950135c2a686374226c5a05.exe
Download: download sample
Signature njrat
Create hunting rule
File size:482'812 bytes
First seen:2023-02-26 07:40:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 12288:T2ghLvPhXpe3PliT+tcun48M1YlsCcpnN:1XhZgPlou4P1YWP
Threatray 449 similar samples on MalwareBazaar
TLSH T140A4F142FAD1C4B2D53209324A19AB51757CBD302F25CE6FB3D86E2DDA341D0A325BA7
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
18.197.239.5:15768

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
7fc6ad338950135c2a686374226c5a05.exe
Verdict:
Malicious activity
Analysis date:
2023-02-26 07:43:45 UTC
Tags:
rat njrat bladabindi trojan
Link:
https://app.any.run/tasks/6474ee52-5638-484a-90bd-4ca261012c20

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369781/
Detection(s):
SecuriteInfo.com.LuheRARDropper.19200.30796.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Sending a custom TCP request
Creating a process with a hidden window
Enabling the 'hidden' option for files in the %temp% directory
DNS request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63fb0d0f885563d6c8bc089e/reports/28e568d4-fcdc-4dc7-aab6-60893a367824/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/1ce3569751cdb290358824f5e2c341bdd73de729c9c995ca901417684bb1a0c5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41c8d66f-7f30-4d0a-bb2a-200e7fe9cc85
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1182536
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 815367 Sample: n8znLYCNUI.exe Startdate: 26/02/2023 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 5 other signatures 2->44 10 n8znLYCNUI.exe 13 2->10         started        process3 file4 28 C:\Users\user\AppData\...\Server.sfx.exe, PE32 10->28 dropped 13 cmd.exe 1 10->13         started        process5 process6 15 Server.sfx.exe 9 13->15         started        18 conhost.exe 13->18         started        file7 30 C:\Users\user\AppData\Local\...\Server.exe, PE32 15->30 dropped 20 Server.exe 1 4 15->20         started        process8 dnsIp9 32 18.156.13.209, 15768, 49746, 49749 AMAZON-02US United States 20->32 34 18.157.68.73, 15768, 49723, 49724 AMAZON-02US United States 20->34 36 4 other IPs or domains 20->36 46 Antivirus detection for dropped file 20->46 48 Multi AV Scanner detection for dropped file 20->48 50 Machine Learning detection for dropped file 20->50 52 2 other signatures 20->52 24 netsh.exe 3 20->24         started        signatures10 process11 process12 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ce3569751cdb290358824f5e2c341bdd73de729c9c995ca901417684bb1a0c5/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-01-21 12:03:18 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
14 of 39 (35.90%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dtrvnf2rzwzjanmiet26fq2bxxlt3zzjzhezlsuqcqlwqs5rudcq._file
Verdict:
unknown
Similar samples:
1620114c000809b11104adbadb3df7ac989d9c7bc5e7da5acb0ffc9c5cb05c14
njrat
30898e79c019a359c6bc25a0217531494c12cfe62384beadc861eb622b811378
njrat
4081406d27f30f1dd68fca09d23aa9db54af4ea4fccfa3c486c5aa31ff772054
njrat
5623df29bdeb9756ab512f3c77dd11725878939a0b8d98726798d8604ab60dfa
njrat
7ff666b15df670047eaa593d038013a5ad809aaef174abe50e85bf4962a1366b
njrat
8500f1744e517dfa7e8f0e08aeea29ca2625695ee2b90653a007edd1be838f54
njrat
9cd5a28728147661323d8ff925112d951db1bd04764620c08cd2aeba1392d958
njrat
ae4a3acb670cfc6d493f0947db9a197b1086c1287714e51632bfa8549ac78a7c
njrat
ed32f2ebfc103f4c81e6e0bf07c269eba45692bb061b9cb28402a74f57871831
njrat
+ 439 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked evasion trojan
Link:
https://tria.ge/reports/230226-jh4crsgc62/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
njRAT/Bladabindi
Malware Config
C2 Extraction:
2.tcp.eu.ngrok.io:15768
Unpacked files
SH256 hash:
1ce3569751cdb290358824f5e2c341bdd73de729c9c995ca901417684bb1a0c5
MD5 hash:
7fc6ad338950135c2a686374226c5a05
SHA1 hash:
e1dd04402e1cabd6e2d4e51944506dbb690c0c59
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/b313ef3c-94bd-415f-b8f6-63bc9cb4b05a/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ce3569751cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ce3569751cdb290358824f5e2c341bdd73de729c9c995ca901417684bb1a0c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:win_xorist_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xorist.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369781/

Comments